[oe] [meta-oe][dunfell][PATCH] xterm: CVE-2022-24130 Buffer overflow in set_sixel in graphics_sixel.c

Fri, 24 Jun 2022 05:18:18 -0700 

Source: https://github.com/ThomasDickey/xterm-snapshots/
MR: 115675
Type: Security Fix
Disposition: Backport from 
https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d
ChangeID: 6ad000b744527ae863187b570714792fc29467d9
Description:
         CVE-2022-24130 xterm: Buffer overflow in set_sixel in graphics_sixel.c.

Signed-off-by: Hitendra Prajapati <hprajap...@mvista.com>
---
 .../xorg-app/xterm/CVE-2022-24130.patch       | 84 +++++++++++++++++++
 .../recipes-graphics/xorg-app/xterm_353.bb    |  2 +-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch

diff --git a/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch 
b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch
new file mode 100644
index 000000000..b7a5f297a
--- /dev/null
+++ b/meta-oe/recipes-graphics/xorg-app/xterm/CVE-2022-24130.patch
@@ -0,0 +1,84 @@
+From 85666286473f2fbb2d4731d4e175f00d7a76e21f Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajap...@mvista.com>
+Date: Tue, 21 Jun 2022 10:53:01 +0530
+Subject: [PATCH] CVE-2022-24130
+
+Upstream-Status: Backport 
[https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d]
+CVE: CVE-2022-24130
+Signed-off-by: Hitendra Prajapati <hprajap...@mvista.com>
+
+Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f
+ Check for out-of-bounds condition while drawing sixels, and quit that
+ operation (report by Nick Black, CVE-2022-24130).
+Bug-Debian: https://bugs.debian.org/1004689
+
+---
+ graphics_sixel.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/graphics_sixel.c b/graphics_sixel.c
+index 00ba3ef..6a82295 100644
+--- a/graphics_sixel.c
++++ b/graphics_sixel.c
+@@ -141,7 +141,7 @@ init_sixel_background(Graphic *graphic, SixelContext const 
*context)
+     graphic->color_registers_used[context->background] = 1;
+ }
+ 
+-static void
++static Boolean
+ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
+ {
+     const int mh = graphic->max_height;
+@@ -162,7 +162,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, 
int sixel)
+          ((color != COLOR_HOLE)
+           ? (unsigned) graphic->color_registers[color].b : 0U)));
+     for (pix = 0; pix < 6; pix++) {
+-      if (context->col < mw && context->row + pix < mh) {
++      if (context->col >= 0 &&
++          context->col < mw &&
++          context->row + pix >= 0 &&
++          context->row + pix < mh) {
+           if (sixel & (1 << pix)) {
+               if (context->col + 1 > graphic->actual_width) {
+                   graphic->actual_width = context->col + 1;
+@@ -175,8 +178,10 @@ set_sixel(Graphic *graphic, SixelContext const *context, 
int sixel)
+           }
+       } else {
+           TRACE(("sixel pixel %d out of bounds\n", pix));
++          return False;
+       }
+     }
++    return True;
+ }
+ 
+ static void
+@@ -451,7 +456,10 @@ parse_sixel(XtermWidget xw, ANSI *params, char const 
*string)
+               init_sixel_background(graphic, &context);
+               graphic->valid = 1;
+           }
+-          set_sixel(graphic, &context, sixel);
++          if (!set_sixel(graphic, &context, sixel)) {
++            context.col = 0;
++            break;
++          }
+           context.col++;
+       } else if (ch == '$') { /* DECGCR */
+           /* ignore DECCRNLM in sixel mode */
+@@ -529,8 +537,12 @@ parse_sixel(XtermWidget xw, ANSI *params, char const 
*string)
+               graphic->valid = 1;
+           }
+           for (i = 0; i < Pcount; i++) {
+-              set_sixel(graphic, &context, sixel);
+-              context.col++;
++              if (set_sixel(graphic, &context, sixel)) {
++                context.col++;
++              } else {
++                context.col = 0;
++                break;
++              }
+           }
+       } else if (ch == '#') { /* DECGCI */
+           ANSI color_params;
+-- 
+2.25.1
+
diff --git a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb 
b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb
index 264320212..1862b250e 100644
--- a/meta-oe/recipes-graphics/xorg-app/xterm_353.bb
+++ b/meta-oe/recipes-graphics/xorg-app/xterm_353.bb
@@ -7,8 +7,8 @@ LIC_FILES_CHKSUM = 
"file://xterm.h;beginline=3;endline=31;md5=996b1ce0584c0747b1
 SRC_URI = "http://invisible-mirror.net/archives/${BPN}/${BP}.tgz \
            file://0001-Add-configure-time-check-for-setsid.patch \
            file://CVE-2021-27135.patch \
+           file://CVE-2022-24130.patch \
           "
-
 SRC_URI[md5sum] = "247c30ebfa44623f3a2d100e0cae5c7f"
 SRC_URI[sha256sum] = 
"e521d3ee9def61f5d5c911afc74dd5c3a56ce147c7071c74023ea24cac9bb768"
 PACKAGECONFIG ?= ""
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#97589): 
https://lists.openembedded.org/g/openembedded-devel/message/97589
Mute This Topic: https://lists.openembedded.org/mt/91963026/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to